Vehicles may be equipped with passive electronic entry systems generally referred to as remote keyless entry (“RKE”) systems. Such RKE systems allow entry into the vehicle without using a conventional, mechanical key. Passive RKE systems operate without the vehicle operator activating any push-buttons on the fob itself. A passive RKE may use a low frequency (“LF”) radio signal that is transmitted by the vehicle to a fob carried by the vehicle owner. The fob automatically responds by returning a radio frequency (“RF”) signal back to the vehicle. Upon receipt of a proper RF response signal, the vehicle will unlock the doors to permit driver entry into the vehicle.
Specifically, in a passive RKE system, the fob/vehicle interaction may be initiated by the operation of the door handle. Upon detection of contact with the door handle, the RKE controller at the vehicle will trigger an LF transmitter inside the vehicle. The vehicle-based LF transmitter will create an LF field in the vicinity of the vehicle door that will, in turn, be detected by an LF receiver inside the fob. Upon detection of a proper LF field, the fob will transmit a response command signal back to the vehicle using a digital message encoded on a RF signal. The RF receiver inside vehicle will decode the digital message and, if the content of the message is satisfactory, will unlock the vehicle doors. Similar methods are sometimes used for enabling an “engine start” button on the dashboard of the vehicle.
Identification codes and encryption are conventionally used to ensure that the LF-RF communication link between the fob and the vehicle is secure. Such codes and encryption are very difficult to duplicate. Therefore, the fob message required to gain entry into the vehicle cannot readily be synthesized by a thief. However, even with such codes and encryption, potential vulnerabilities still exist. Two thieves working in concert can trigger, intercept, and generate a bona fide fob response signal to trick the vehicle RKE system into believing that the owner's authorized fob is near the vehicle, when, in fact, the owner's authorized fob is well away from the vehicle.
For example, assume that the vehicle owner is away from the vehicle with the authorized fob. Two thieves want to gain access to the vehicle. A first thief stays close to vehicle and the second thief stays close to the owner. Both thieves have an LF receiver and a repeater (transceiver). The first thief approaches the vehicle and lifts up the door handle, which triggers the vehicle-based LF transmitter. The first thief's LF receiver receives the information transmitted by the vehicle-based LF transmitter. The first thief will then transmit the signal to the second thief through RF. The second thief's transceiver receives the information sent by the first thief and transmits an LF signal, with the appropriate information to the authorized fob carried by the vehicle owner. The owner's authorized fob receives the signal and transmits an RF command signal (the response signal) to unlock the vehicle door. The second thief's transceiver receives the command signal and then re-transmits the signal back to first thief. The first thief's transceiver receives it and re-transmits the command signal to the RF receiver inside the vehicle. The vehicle receiver recognizes the command since it originated from the authorized fob and unlocks the car door allowing the first thief to gain access to the vehicle.